Adding an Applications Launch Control rule

Support

Support for business applications

Kaspersky Embedded Systems Security 3.x

Applications Launch Control

Managing Applications Launch Control via the Application Console

Configuring Applications Launch Control rules

Adding an Applications Launch Control rule

October 25, 2023

ID 148399

Save as PDF

To add an Applications Launch Control rule using the Application Console:

Open the Applications Launch Control rules window.
Click the Add button.
In the context menu of the button, select Add one rule.
The Rule settings window opens.
Specify the following settings:
1. In the Name field, enter the name of the rule.
2. In the Type drop-down list, select the rule type:
  - Allowing, if you want the rule to allow launch of applications in accordance with the criteria specified in the rule settings.
  - Denying, if you want the rule to block launch of applications in accordance with the criteria specified in the rule settings.
3. In the Scope drop-down list, select the type of files whose execution will be controlled by the rule:
  - Executable files, if you want the rule to control launch of executable files.
  - Scripts and MSI packages, if you want the rule to control launch of scripts and MSI packages.
4. In the User or user group field, specify the users who will or will not be allowed to start programs based on the type of rule.
  1. In the context menu of the Browse button, select the method for adding trusted users.
    The User or user group selection window opens.
  2. Select a user or user group.
  3. Click the OK button.
5. If you want to take the values of the rule-triggering criteria listed in the Rule triggering criterion block from a file, do the following:
  1. Click the Set rule triggering criterion from file properties button.
    The standard Microsoft Windows Open window opens.
  2. Select the file.
  3. Click the Open button.
    The value of the criteria in the file are displayed in the fields in the Rule triggering criterion block. The criterion for which data are available in the file properties is selected by default.
6. In the Rule triggering criterion group box, select one or several of the following options as applicable:
  - Digital certificate, if you want the rule to control the launch of applications launched using files signed with a digital certificate:
    - Select the Use subject check box if you want the rule to control the launch of files signed with a digital certificate only with the specified subject.
    - Select the Use thumb check box if you want the rule to only control the launch of files signed with a digital certificate with the specified thumbprint.
  - SHA256 hash, if you want the rule to control the launch of programs launched using files whose checksum matches the one specified.
  - Path to file, if you want the rule to control the launch of programs launched using files located at the specified path.
    - Command line if you want the rule to control the start of programs launched using the arguments specified in the command line field. The field is enabled after you select the Path to file option. You can use ? and * characters as a mask when specifying the command line arguments for launched processes as a criterion.
    Kaspersky Embedded Systems Security for Windows does not recognize paths that contain slashes ("/"). Use backslash ("\") to enter the path correctly.
    
    When specifying the objects, you can use ? and * characters as file masks.
  You should select at least one option. Otherwise, the Application Launch Control rule is not added.
7. If you want to add rule exclusions:
  1. In the Exclusions from rule section, click the Add button.
    The Exclusion from rule window opens.
  2. In the Name field, enter the name of the exclusion.
  3. Specify the settings for exclusion of application files from the Applications Launch Control rule. You can fill out the settings fields from the file properties by clicking the Set exclusion based on file properties button.
    - Digital certificate
      If this option is selected, the presence of a digital certificate is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will now allow start of programs launched using files with a digital certificate. We recommend this option if you want to allow the start of any applications that are trusted in the operating system.
      
      This option is selected by default.
    - Use subject
      The check box either enables or disables the use of the subject of the digital certificate as a rule triggering criterion.
      
      If the check box is selected, the specified digital certificate subject is used as a rule triggering criterion. The created rule will control the start of applications only for the vendor specified in the subject.
      
      If the check box is cleared, the application will not use the subject of the digital certificate as a rule triggering criterion. If the Digital certificate criterion is selected, the created rule will control the start of applications signed with a digital certificate containing any subject.
      
      The subject of the digital certificate used to sign the file can be specified only from the properties of the selected file using the Set rule triggering criterion from file properties button located above the Rule triggering criterion block.
      
      By default, the check box is cleared.
    - Use thumb
      The check box enables / disables the use of the thumbprint of the digital certificate as a rule triggering criterion.
      
      If the check box is selected, the specified digital certificate thumbprint is used as a rule triggering criterion. The created rule will control the start of applications signed with a digital certificate with the specified thumbprint.
      
      If the check box is cleared, the application will not use the thumbprint of the digital certificate as a rule triggering criterion. If the Digital certificate criterion is selected, the application will control the start of applications signed with a digital certificate with any thumbprint.
      
      The thumbprint of the digital certificate used to sign the file can be specified only from the properties of the selected file using the Set rule triggering criterion from file properties button located above the Rule triggering criterion block.
      
      By default, the check box is cleared.
    - SHA256 hash
      If this option is selected, the checksum of the file used to generate the rule is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will allow start of programs launched using files with the specified checksum.
      
      We recommend this option for cases when the generated rules must achieve the highest level of security: a SHA256 checksum may be used as a unique file ID. Using a SHA256 checksum as a rule triggering criterion restricts the rule usage scope to one file.
    - Path to file
      If this option is selected, Kaspersky Embedded Systems Security for Windows uses the full path to the file to determine whether the process is trusted.
  4. Click the OK button.
  5. If necessary, repeat steps (i)-(iv) to add additional exclusions.
Click the OK button in the Rule settings window.

The created rule is displayed in the list in the Applications Launch Control rules window.

Kaspersky Professional Services

Implementation services. Health check and security system configuration. Contact us if you need expert help.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.